Introduction


Who is HTC:
Taiwanese manufacturer of mid-range / high-end mobile phones.
ODM from 1997 to 2007 (i-mate, Qtek, etc.)
Operating systems: Windows Mobile and Android (among others)


Processors (ARM):
Texas Instruments OMAP 850
Intel PXA + Qualcomm MSM6250
Samsung S3C2442 + Qualcomm MSM6275
Qualcomm MSM7200, MSM7201A, MSM7225, ...
Qualcomm MSM8260 (Snapdragon)





"Flash" memories

NOR:

- Cells connected in parallel

- Allows the data of each cell to be read/programmed individually.

Examples: M-Systems DiskOnChip G3/G4/H3

NAND:

- Cells connected in series (smaller size and lower cost)

- Must be read/programmed per page

Examples:
Samsung OneNAND
Samsung, Hynix, Micron, Toshiba...





NAND format

When we dump NAND we have to take the following into account:

- Read / write per page

- Erase per block

- Each block consists of several pages

- 1 page = 512 logical bytes / 528 physical bytes
  (16 bytes used for ECC and bad-block management)

- byte 517 != 0xFF --> bad block

Depending on how we dump, we will have to "rebuild" the dump to remove the ECC information and the bad blocks.
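The rebuild step described above, as an added example that is not part of the original slides: it takes a raw dump of 528-byte pages (512 data + 16 spare), strips the spare area, skips any block whose bad-block marker (byte 517 of the page, i.e. spare byte 5) is not 0xFF, and verifies the per-256-byte Hamming ECC in the spare area, correcting single-bit read errors and flagging anything worse. The block size (32 pages), the placement of the two ECC triplets inside the spare area and the 22-bit packing are assumptions chosen for this example; real parts and vendor layouts differ, so adjust the constants for the chip at hand. The sample dump is constructed in the code.

```python
# Added example (not from the slides): rebuild a logical image from a raw
# small-page NAND dump by stripping the 16-byte spare area of every page,
# skipping blocks whose bad-block marker (page offset 512+5 = 517) is not 0xFF,
# and verifying/correcting the per-256-byte Hamming ECC stored in the spare area.
#
# Assumptions (constructed for this example, real parts differ):
#   - PAGES_PER_BLOCK = 32
#   - ECC of data[0:256] at spare[0:3], ECC of data[256:512] at spare[8:11],
#     both as 22-bit values packed little-endian (the bit packing is ours)
import random

DATA, SPARE = 512, 16
PAGE = DATA + SPARE
PAGES_PER_BLOCK = 32
BAD_MARK = 5                      # spare byte 5 -> raw page offset 517
ECC_OFFSETS = (0, 8)              # spare offsets of the two ECC triplets


def hamming_ecc(chunk: bytes) -> int:
    """22-bit Hamming ECC over 256 bytes: 16 line-parity + 6 column-parity bits."""
    assert len(chunk) == 256
    lp, col = 0, 0                # col: XOR of all bytes = column parity of each bit
    for i, b in enumerate(chunk):
        col ^= b
        if bin(b).count("1") & 1:     # odd byte parity toggles one bit of each LP pair
            for k in range(8):
                lp ^= 1 << (2 * k + ((i >> k) & 1))
    cp = 0
    for n, sel in enumerate((1, 2, 4)):   # P1/P1', P2/P2', P4/P4'
        p = p_ = 0
        for j in range(8):
            if j & sel:
                p ^= (col >> j) & 1
            else:
                p_ ^= (col >> j) & 1
        cp |= (p_ << (2 * n)) | (p << (2 * n + 1))
    return lp | (cp << 16)


def check_ecc(chunk: bytes, stored: int):
    """Return (chunk, status); status is 'ok', 'corrected', 'ecc_error' or 'uncorrectable'."""
    diff = hamming_ecc(chunk) ^ stored
    if diff == 0:
        return chunk, "ok"
    ones = bin(diff).count("1")
    # A single-bit data error sets exactly one bit of each of the 11 parity pairs.
    if ones == 11 and all(((diff >> (2 * k)) & 3) in (1, 2) for k in range(11)):
        byte = sum(((diff >> (2 * k + 1)) & 1) << k for k in range(8))
        bit = sum(((diff >> (16 + 2 * n + 1)) & 1) << n for n in range(3))
        fixed = bytearray(chunk)
        fixed[byte] ^= 1 << bit
        return bytes(fixed), "corrected"
    if ones == 1:                 # the error is in the stored ECC, the data is fine
        return chunk, "ecc_error"
    return chunk, "uncorrectable"


def reconstruct(raw: bytes):
    """Strip spare areas, drop bad blocks, fix single-bit errors. Returns (image, report)."""
    block_len = PAGE * PAGES_PER_BLOCK
    assert len(raw) % block_len == 0, "dump must contain whole blocks of 528-byte pages"
    out = bytearray()
    report = {"bad_blocks": [], "ok": 0, "corrected": 0, "ecc_error": 0, "uncorrectable": 0}
    for bi in range(len(raw) // block_len):
        block = raw[bi * block_len:(bi + 1) * block_len]
        if block[DATA + BAD_MARK] != 0xFF:    # marker in the first page of the block
            report["bad_blocks"].append(bi)
            continue
        for pi in range(PAGES_PER_BLOCK):
            page = block[pi * PAGE:(pi + 1) * PAGE]
            data, spare = page[:DATA], page[DATA:]
            for half, off in enumerate(ECC_OFFSETS):
                stored = int.from_bytes(spare[off:off + 3], "little")
                fixed, status = check_ecc(data[half * 256:(half + 1) * 256], stored)
                report[status] += 1
                out += fixed
    return bytes(out), report


def build_sample(n_blocks=4, bad_blocks=(2,), flip=(1, 3, 100, 6)):
    """Constructed raw dump: random data, valid ECC, one bad block, one flipped bit.
    Returns (raw_dump, expected_logical_image)."""
    rnd = random.Random(1)
    raw, expected = bytearray(), bytearray()
    for bi in range(n_blocks):
        for _ in range(PAGES_PER_BLOCK):
            data = bytes(rnd.getrandbits(8) for _ in range(DATA))
            spare = bytearray(b"\xff" * SPARE)
            for half, off in enumerate(ECC_OFFSETS):
                ecc = hamming_ecc(data[half * 256:(half + 1) * 256])
                spare[off:off + 3] = ecc.to_bytes(3, "little")
            if bi in bad_blocks:
                spare[BAD_MARK] = 0x00
            else:
                expected += data
            raw += data + spare
    bi, pi, byte, bit = flip           # inject a single-bit read error (block, page, byte, bit)
    raw[(bi * PAGES_PER_BLOCK + pi) * PAGE + byte] ^= 1 << bit
    return bytes(raw), bytes(expected)


if __name__ == "__main__":
    raw, expected = build_sample()
    image, report = reconstruct(raw)
    print(len(raw), "->", len(image), "bytes;", report, "; matches:", image == expected)
```

The report is the part to read before trusting a dump: a handful of "corrected" pages is normal wear, "uncorrectable" pages mean the read itself (or the assumed ECC layout) is wrong and the dump should be repeated, and the bad-block list should be compared against the marker list the chip reports so that no block is silently lost.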





What information do we want to recover? (I)

MSISDN, SIM S/N, IMSI, IMEI

PIM data: contact list, calendar, TO-DO list, reminders, tasks, voice memos...

List of recent calls (incoming, outgoing, missed) and their date/time.

SMS and MMS messages (stored on the phone and/or on the SIM)

What information do we want to recover? (II)

Application data: emails, attachments, browser history, tweets, docs, PDFs, etc.

Photos and videos (taken with the handset's camera)
Last known GPS position, coarse location data

List of WLANs (SSID, BSSID, encryption key) the phone has associated with...





Hardware dumping methods

Desoldering the BGA

Desoldering the BGA (I)

Desoldering the BGA (II)

"Homemade" method

Hardware dumping methods

Dumping the NAND without accessing the operating system





Command: inpw
Usage: inpw <address in hex>
Purpose: Read word in assigned address.

Command: inpdw
Usage: inpdw <address in hex>
Purpose: Read dword in assigned address.











Dumping without accessing the operating system

Qualcomm tools: QPST, QXDM and CDMA Workshop

[Screenshot: QXDM Professional (COM4) Memory Viewer window]





PSAS: Phone System Analysis Software (formerly QMAT)

[Screenshot: PSAS "QC Com Diag Window", Bootloader / Download Mode (QC) tab, with the "Read full NAND using patched Loader" function selected; the log shows "Bootloader running ....", "Found NAND : toshiba th58dyg02a", "Download mode activated.", Protocol ID: 05, Min Protocol ID: 01, Maximum Write Size: 1000]








rbmc [FileName [StartAddr [Len]]]

Read back the memory content from the specified address to the host and save the data to the specified file name.

FileName : Full file path for save data of memory (default=c:\temp\Mem.nb).

StartAddr : Start address of memory (default(hex)=A0000000).

Len : How many bytes will be read. And if not given value, it will be total ROM size on board
- ((StartAddress & 0x0FFFFFFF) - (ROM base address(0) & 0x0FFFFFFF)).





Dumping without accessing the operating system
From the bootloader (SPL):

Abusing the 'checksum' command:

checksum [[StartAddr [Len]]]

Return CRC checksum of RAM memory.

StartAddr : Start address of ROM (default(hex)=A0000000).

Len : How many bytes will be calculated.
default(hex) = ROM total size - ((dwStartAddress & 0x0FFFFFFF) - (ROM BASE & 0x0FFFFFFF))

What happens if we ask for the CRC of a single byte? ;-)

DIY NAND dumper: read the NAND with 2 calls to checksum.







On a restricted bootloader (the checksum and rbmc commands do not exist), we have to 'replace' the bootloader on the fly by exploiting a vulnerability in it:

- There is a stack overflow in all HTC bootloaders. Reported to HTC in 2007, they still have not patched it.

- By making recursive calls to the 'ruustart' command we can "fill" the stack and overwrite bootloader code.

- We use "stack spraying" with relative jumps to our shellcode to 'jump' to a modified bootloader.

+info:





0x80b00000 | xxxxxxxxxxx | \
           | xxxxxxxxxxx |  > wdata buffer
0x80b10000 | xxxxxxxxxxx | /

0x8c000000 | SPL begins  |
           | SPL SPL SPL | M
           | SPL SPL SPL | E
           | SPL SPL SPL | M
           | SPL SPL SPL | O
0x8c040000 | SPL ends    | RY





1) put a known byte pattern on the stack

2) checksum, to find the offset of the top of the stack and the size of the stack frame

3) load unsigned code using wdata -> invalid CERT error

4) we put in a modified IPL so that it does not load the SPL from NAND, and a patched SPL

5) iterate the 'ruustart' command until reaching the end of the SPL:
- first, padding with 0's.
- then shellcode: a handler that executes the loader residing in RAM and jumps to offset 0 to start the IPL.
- finally: spraying with relative branches to the shellcode

7) call a function whose entry point is correctly aligned





KITL (Windows CE only):

Kernel Independent Transport Layer (KITL) is a communication link between your development computer and a Windows CE-enabled device for debugging purposes.

The Platform Builder debugger and remote tools such as Remote File Viewer, Remote Registry Editor, and Remote Kernel Tracker use KITL. KITL exposes the device hardware to the kernel debugger and works independently of the board and transport (such as Ethernet, serial, or USB) to send and receive data between the computer and the device.

source: MSDN








[Diagram (MSDN): KITL link between a Windows Embedded Compact powered device (device hardware) and the development computer (Platform Builder debugger, host transport library over Ethernet, serial or USB, computer hardware)]
[Screenshot: "SMDK2410 Board (MCU S3C2410) Test Program Ver 1.1 (20020801) FCLK = 202800000 Hz" serial menu, "Select the function to test:", listing board self-tests including NAND View Page, NAND Read Page Mode, NAND Write, NAND ECC, NAND View Bad Block and NOR Flash Program]





Nandroid backup from a recovery image

Nandroid Backup is a set of tools and a script that will enable anyone who has root on their Android phone plus a recovery image with busybox and adbd running as root to make full system backups.

Source: infernix @ xda-devs





Files in a Nandroid backup:

cache.tar
data.tar
misc.img
nandroid.md5
recovery.img





Nandroid backup from a recovery image

data.tar (data.img) contains the user's data.

Extract it by mounting the raw yaffs2 image as a loop device (requires mtd-utils and the yaffs2 kernel module)

unyaffs: extracts the contents of the .img directly into the local directory

http://code.google.com/p/unyaffs/
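Before extracting a Nandroid backup it is worth confirming that the copied images still match the nandroid.md5 that the backup script wrote beside them; a backup that was copied off the phone incompletely will otherwise yield a partial or corrupt yaffs2 image. The following is an added example, not part of the slides or of the Nandroid tools: it parses the md5sum-style listing (both the "hash  name" and the "hash *name" binary form) and reports each listed file as intact, modified or missing. The backup directory and its contents are constructed inside the code; the file names follow the listing on the slides.

```python
# Added example (not from the slides): verify a Nandroid backup directory against
# its nandroid.md5 before unpacking anything. The sample backup is constructed here.
import hashlib
import os
import tempfile


def parse_md5_file(text: str) -> dict:
    """Parse md5sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")          # '*' marks binary mode in md5sum output
        if len(digest) != 32 or not name:
            raise ValueError(f"malformed md5 line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_backup(backup_dir: str, md5_name: str = "nandroid.md5") -> dict:
    """Check every file listed in the md5 file; returns {name: 'ok'|'mismatch'|'missing'}."""
    with open(os.path.join(backup_dir, md5_name)) as f:
        expected = parse_md5_file(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        h = hashlib.md5()
        with open(path, "rb") as f:       # stream in 1 MiB chunks; images can be large
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == digest else "mismatch"
    return results


def build_sample_backup() -> str:
    """Constructed backup dir: data.tar intact, misc.img altered after hashing, cache.tar absent."""
    d = tempfile.mkdtemp(prefix="nandroid_")
    files = {"data.tar": b"user data " * 100, "misc.img": b"misc " * 100}
    lines = []
    for name, content in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
        lines.append(f"{hashlib.md5(content).hexdigest()}  {name}")
    lines.append(f"{hashlib.md5(b'cache').hexdigest()} *cache.tar")   # listed but never copied
    with open(os.path.join(d, "misc.img"), "r+b") as f:               # corrupt one byte
        f.seek(3)
        f.write(b"X")
    with open(os.path.join(d, "nandroid.md5"), "w") as f:
        f.write("\n".join(lines) + "\n")
    return d


if __name__ == "__main__":
    for name, status in sorted(verify_backup(build_sample_backup()).items()):
        print(f"{status:10} {name}")
```

Only files whose status is "ok" should go on to the yaffs2 mount or unyaffs step; a "mismatch" on data.tar means the user-data image was altered or truncated in transit and should be re-copied rather than analysed.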





Dumping the NAND from the operating system

Windows Mobile





WinCE TFFS API

True Flash File System, or TrueFFS, is a low-level file system designed to run on a raw solid-state drive.

TrueFFS implements error correction, bad block re-mapping and wear leveling. Externally, TrueFFS presents a normal hard disk interface.

TrueFFS was created by M-Systems for the well-known "DiskOnChip 2000" product line; M-Systems was acquired by SanDisk in 2006.

A flash translation layer is used to adapt a fully functional file system to the constraints and restrictions imposed by flash memory devices.

Source: Wikipedia





itsutils pdocread (I)

Usage: pdocread [options] start [ length [ filename ]]

when no length is specified, 512 bytes are assumed
when no filename is specified, a hexdump is printed

-t : find exact disk size
-l : list all diskdevices
-v : be verbose
-s OFS : seek into source file ( for writing only )
-b SIZE: specify sectorsize to use when accessing disk
-B SIZE: specify blocksize to use when accessing disk
-G SIZE: specify blocksize to use when transfering over activesync
-u PASSWD : unlock DOC device
-S BKIx: specify alternate disksignature ( e.g. BIPO, BKIA .. BKIG )
-d NAME : devicename or storename
-p NAME : partitionname
-h HANDLE : directly specify handle
either specify -d and optionally -p, or specify -h
-n NUM : binarypartition number ( normal p if omitted )
-w : read via windows disk api
-o : read OTP area
if the filename is omitted, the data is hexdumped to stdout
if no length is specified, 512 bytes are printed





itsutils pdocread (II)

List NAND partitions:

$ pdocread.exe -l

85.88M (0x55e0000) FLASHDR
| 3.12M (0x511000) Part00 - image update kernel part.
| 3.50M (0x380000) Part01 - regular kernel part. (XIP)
| 41.38M (0x2960000) Part02 - IMGFS
| 37.88M (0x25e0000) Part03 - User filesystem

STRG handles:
handle c34713fe 37.88M (0x25e0000)
handle c348c912 41.38M (0x2960000)
handle c348c8ee 3.50M (0x380000)
handle c348c71e 3.12M (0x31f000)

Dump NAND partitions:

$ pdocread.exe -w -d FLASHDR -b 0x800 -p Part00 0 0x311000 Part00.raw
$ pdocread.exe -w -d FLASHDR -b 0x800 -p Part01 0 0x380000 Part01.raw
$ pdocread.exe -w -d FLASHDR -b 0x800 -p Part02 0 0x2960000 Part02.raw
$ pdocread.exe -w -d FLASHDR -b 0x800 -p Part03 0 0x25e0000 Part03.raw





itsutils bkondisk

Allows access to Samsung OnDisk flash:

copy bkondisk.exe to \windows on your device, then:
prun bkondisk [targetdir]

will save all partitions on all volumes in files on [targetdir]

Partitions we can dump:

partnr attr     start    size (in blocks)
pi0.2: 00000002 00000002 00000005 00000020 gsm etc
pi0.3: 00000003 00000002 00000025 00000160 os
pi0.6: 00000006 00000022 00000001 00000004 spl
pi0.8: 00000008 00000001 00000185 00000264 userfs





JumpSPL

Application for WinCE that lets you place a bootloader in RAM and jump to it, without it needing to be flashed on the device.

- disables the ARM instruction cache and virtual addressing

(to put it simply: it "kills" the Windows CE kernel and leaves the device as if the IPL had just started, after hardware initialization)

+info:





Dumping the NAND from the operating system

Android

Dumping NAND on Android

Security OFF (S-OFF):
@secuflag - radio NVRAM flag that controls the "security" of the NAND.

How to go from S-ON to S-OFF?
- Engineering device (with engineering HBOOT)

- unrevoked3 (to obtain root) + AlphaRev 1.5 (patches the HBOOT so that it does not ...)

http://unrevoked.com
Dumping NAND on Android

- Char driver interface to dump physical memory

http://gitorious.org/androidfan-flash/kernel/commit/2ae61247915e2ae891fb9b22a2ea3415c4fec017

Kernel module that creates the /dev/memdump device, from which we can dump the contents of the NAND.





That's all folks!

Any questions?





